When configuring ISE pxGrid Identity Mapping (ISE 2.0 naming)/PassiveID (ISE 2.1 naming) integration with Active Directory, there are certain audit settings and permissions that need to be set in order to allow the security audit logs to be read by ISE. If you've ever configured Cisco Context Directory Agent (CDA), you're about to receive a blast from the past, because the settings and permissions are exactly the same. The Cisco ISE configuration guide even references the CDA documentation when describing the permissions ISE needs for PassiveID. The use case for this is EasyConnect, which is a way for ISE to detect successful Active Directory authentications and grant network access based on them. While this may be ideal as the main policy for smaller environments, I think it might also serve as a good default policy for some larger environments instead of a default rule of "Deny All", depending on the strictness of the security policy.

I'll go through the requirements in order to set up PassiveID between your ISE server and Active Directory:

Make sure that you have network connectivity between your AD and ISE servers, and that the ports referenced in the above config guide are open if there is a firewall or host-based software firewall in the way

If you are using Server 2008 instead of Server 2012 (which is what I am running in my lab), make sure that the patches referenced in the CDA documentation are installed

Make sure that the GPO's Audit policy is correctly configured - I will be going through that in this blog post so continue reading :)

Make sure that the user you are using to establish the connection between the ISE server and the AD Domain Controller has sufficient permissions. There are different requirements for a Domain Admin and a non-Domain Admin, and you will have to make some changes to ensure both work. It's obviously easier to do it with a Domain Admin account, since a regular Domain User account requires a lot of changes, but in environments with very tight RBAC requirements it might be necessary to keep that separation of duties and use a dedicated service account for the PassiveID integration. I will be using my Administrator account for my lab, but I'll go over the requirements for both Domain Admins and non-Domain Admins:

For members of Domain Admins, you will need to take ownership of the following registry keys and give your domain admin account Full Control of them:

The user must have permission to use the DCOM on the domain controller.

The admin can run the dcomcnfg tool from the CLI.

Expand Component Services

Expand Computers and click on My Computer

Select Action from the menu bar, click on Properties and then click on the COM Security tab

Make sure the user account has Allow permissions for Access and Launch. The user account should be added to all four options (Edit Limits and Edit Default for both Access Permissions and Launch and Activation Permissions)

Allow all Local and Remote access for both Access Permissions and Launch and Activation permissions

The user account needs to have permissions on the WMI Root\CIMv2 namespace.

Go to Start>Run and type wmimgmt.msc

Right-click WMI Control and click Properties

Under the Security tab, expand Root and choose CIMV2

Click Security

Add the user account and grant it Allow for Execute Methods, Enable Account and Remote Enable

Access to read the Security Event Log of the AD Domain Controller - this can be done by adding the user to the Event Log Readers group in AD.
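To verify that a service account actually ended up with the WMI namespace rights and the Event Log Readers membership described above, here is an added PowerShell check (my own example, not from the original post or from Cisco's documentation). It assumes it runs elevated on the domain controller with the ActiveDirectory module available, and the account name is a constructed sample:

```powershell
# Added example: audit the PassiveID account's prerequisites on a DC.
# Assumes: run elevated on the DC, ActiveDirectory module installed.
param(
    [Parameter(Mandatory)][string]$Account   # constructed sample: 'LAB\svc-passiveid'
)

# Documented WMI namespace access-mask bits (WBEM_* rights)
$WBEM_ENABLE         = 0x1    # "Enable Account"
$WBEM_METHOD_EXECUTE = 0x2    # "Execute Methods"
$WBEM_REMOTE_ACCESS  = 0x20   # "Remote Enable"
$Required = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS

function Test-WmiNamespaceRights {
    param([string]$Namespace, [string]$Account)
    # Resolve the account to a SID so we can match it against the ACEs
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $sec  = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
    # OR together every Allow ACE (AceType 0) that names this SID directly.
    # Caveat: rights granted through a group the account belongs to are not
    # expanded here, so a $false result means "not granted directly".
    $mask = 0
    foreach ($ace in $dacl) {
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $sid) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    return (($mask -band $Required) -eq $Required)
}

function Test-EventLogReader {
    param([string]$Account)
    $sam = $Account.Split('\')[-1]
    # -Recursive so nested group membership counts as well
    $members = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    return ($members -contains $sam)
}

$results = [ordered]@{
    'WMI root\cimv2: Enable Account + Execute Methods + Remote Enable' =
        Test-WmiNamespaceRights -Namespace 'root\cimv2' -Account $Account
    'Member of Event Log Readers' = Test-EventLogReader -Account $Account
}
$results.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $_.Value, $_.Key }
```

A `False` on either line tells you which of the two steps above still needs to be done before ISE will be able to read the Security log over WMI.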

For regular domain users to be used, certain registry keys need to be added manually to establish a valid connection between CDA and the domain controllers in order to retrieve the users' login authentication events. You can copy the following into a text file, rename it with a .reg extension and double-click it to make the registry changes:

The owner of the keys must be the user account. Also, make sure that you include two spaces in the value of the "DllSurrogate" key, and keep the empty line at the end of the script above.

The Active Directory user used by PassiveID can be authenticated either with NTLMv1 or NTLMv2. You can verify this or manually set it in your GPO.

If you still have your GPO open at this point, we'll go ahead and make the following changes to ensure that the Audit policy logs everything we'll want for PassiveID Identity Mapping. Change the following settings in your GPO: